After updating to 9.501-5, SSO for HTTP authentication fails and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2 and did not see any issues with this for the client. I updated to 9.501-5 at midnight on June 12, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com: "Too many HTTP redirects" message.

Turned off web filtering and the websites were available, but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin the domain, but the domain join failed.

Currently I have the client functioning, but I need to rejoin AD and resume SSO authentication.

  • No problems seen with 9.500 regarding WebProxy and AD SSO. Updated two days ago to 9.501.

    Windows Server 2016 Environment, fully patched. Windows 10 Client, fully patched.

    After updating to 9.501 there were no problems at first; some hours later, the already-mentioned problems with HTTP Proxy and AD SSO appeared. I tried some things: changing the password of the AD user having problems, and last but not least unjoining the UTM, keeping the AD computer account, rejoining and rebooting. Everything worked for a couple of hours, then the same problem occurred. I tried this with Firefox (52.2.0 ESR), Chrome (58.0.3029.110) and IE 11.

    Some minutes ago I tried to rejoin without unjoining first; that doesn't help either.

    In all cases this is logged in the WebProxy log:

    2017:06:20-07:50:16 bifroest httpproxy[21852]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe6fc0400" function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" message="gss_accept_sec_context: Key version number for principal in key table is incorrect"

    Flushing the authentication cache and a manual resync of AD group memberships don't help.

    I think the UTM doesn't renew its Kerberos ticket. The corresponding log on a DC says that network pre-authentication failed for the UTM-Name$ account.


    Kerberos pre-authentication failed.

    Account Information:
        Security ID:            <DOMAIN>\<ComputerAccountName>$
        Account Name:           <ComputerAccountName>$

    Service Information:
        Service Name:           krbtgt/<DOMAIN FQDN>

    Network Information:
        Client Address:         <UTM IP ADDRESS>
        Client Port:            33302

    Additional Information:
        Ticket Options:         0x40000010
        Failure Code:           0x18
        Pre-Authentication Type:    2

    Certificate Information:
        Certificate Issuer Name:
        Certificate Serial Number:
        Certificate Thumbprint:

    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
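
The two log excerpts in the post above, the UTM httpproxy GSS-API error and the domain controller's pre-authentication failure (Windows security event 4771, "Kerberos pre-authentication failed"), are the evidence behind the poster's theory. The Python below is an added example, not code from the post or from Sophos: it parses the httpproxy line format quoted above, filters for the key-version (kvno) mismatch message, and names the numeric fields of the DC event using the RFC 4120 definitions the event itself refers to. The sample log lines are constructed after the quoted one (the first is that line verbatim); the third line's message text is invented for contrast.

```python
"""Decode the UTM httpproxy GSS error line and the DC's Kerberos
pre-authentication failure fields. Added example, not UTM/Sophos code;
SAMPLE_LINES are constructed after the line quoted in the thread."""
import re

# --- UTM httpproxy log: 'timestamp host proc[pid]: key="value" ...' ---
PREFIX_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
KVNO_MARKER = "Key version number for principal in key table is incorrect"

SAMPLE_LINES = [  # constructed samples; the first is the line from the post
    '2017:06:20-07:50:16 bifroest httpproxy[21852]: id="0003" severity="info" '
    'sys="SecureWeb" sub="http" request="0xe6fc0400" '
    'function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" '
    'message="gss_accept_sec_context: Key version number for principal in key '
    'table is incorrect"',
    '2017:06:20-07:50:21 bifroest httpproxy[21852]: id="0003" severity="info" '
    'sys="SecureWeb" sub="http" request="0xe6fc0800" '
    'function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" '
    'message="gss_accept_sec_context: Key version number for principal in key '
    'table is incorrect"',
    '2017:06:20-07:50:25 bifroest httpproxy[21852]: id="0003" severity="info" '
    'sys="SecureWeb" sub="http" request="0xe6fc0c00" '
    'function="adir_auth_process_negotiate" file="auth_adir.c" line="1601" '
    'message="constructed sample: some other negotiate error"',
]


def parse_httpproxy_line(line):
    """Split the syslog-style prefix from the key="value" body."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        raise ValueError("not an httpproxy line: %r" % line)
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    rec.update(KV_RE.findall(m["body"]))  # list of (key, value) pairs
    return rec


def kvno_mismatch_records(lines):
    """Records whose GSS-API error is the keytab key-version (kvno) mismatch."""
    return [r for r in map(parse_httpproxy_line, lines)
            if KVNO_MARKER in r.get("message", "")]


# --- DC side: numeric fields of event 4771, named per RFC 4120 ---
KRB_ERRORS = {  # RFC 4120 section 7.5.9 (subset)
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
    0x2c: "KRB_AP_ERR_BADKEYVER",
}
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}
KDC_OPTIONS = {  # RFC 4120 section 5.4.1; bit 0 is the most significant bit
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}


def decode_ticket_options(value):
    """Expand a KDCOptions word such as 0x40000010 into its flag names."""
    return [name for bit, name in sorted(KDC_OPTIONS.items())
            if value & (1 << (31 - bit))]


def explain_preauth_failure(failure_code, preauth_type, ticket_options):
    """Name the fields of a 4771 event and say what the combination implies."""
    # PA-ENC-TIMESTAMP failing with KDC_ERR_PREAUTH_FAILED means the KDC could
    # not decrypt the client's timestamp with the key it holds for that
    # principal: the client used a different key from AD's copy. A lock-out
    # would be CLIENT_REVOKED and a clock problem would be KRB_AP_ERR_SKEW.
    key_differs = failure_code == 0x18 and preauth_type == 2
    return {
        "failure": KRB_ERRORS.get(failure_code, "unknown(0x%x)" % failure_code),
        "preauth_type": PA_TYPES.get(preauth_type, "unknown(%d)" % preauth_type),
        "ticket_options": decode_ticket_options(ticket_options),
        "client_key_differs_from_ad": key_differs,
    }


if __name__ == "__main__":
    for r in kvno_mismatch_records(SAMPLE_LINES):
        print(r["ts"], r["request"], r["message"])
    print(explain_preauth_failure(0x18, 2, 0x40000010))
```

Read together, the two sides agree: the DC reports failure code 0x18 (KDC_ERR_PREAUTH_FAILED) for PA-ENC-TIMESTAMP, i.e. it could not decrypt what UTM-Name$ sent with the key it currently holds, while the UTM reports that the key version in its keytab is not the one the tickets it receives were issued under. Both are consistent with the UTM's keytab and the AD computer account's current key having diverged, which is also why rejoining the domain (writing a fresh keytab) helps only until the next divergence.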

  • I had no problems with 9.500-9, only after the upgrade to 501. Removing from the domain, deleting the account in AD, syncing the servers and rejoining works only for a few minutes.

    The problem is that I can't roll back to 9.500, because there is no ISO or gpg in up2date.

    I can't roll back to 414002 and stay on that version because we've done a lot of work since the update to 9.500. There is only 9.414002 to 501005....

    Does anyone know where I can get this gpg file?

    Thanks

  • No problems with 9.500-9. The SSO problem started for my customers with 9.501-5.

    Also, what would happen to my RED devices if I were to roll back?
    I have several customers with HQ in Norway and branch offices in the US, China and other European countries connected with a RED device; will these "downgrade" themselves?

    A rollback is not really practical for me as this would result in too much downtime. Will probably just have to wait for a fix... *sigh*


  • Updated 2 clients to 9.501-5 over the weekend and am seeing the exact same issue: SSO goes out the window until I rejoin them to the domain. It lasted all day Monday; I came in this morning to the same issue.

  • Keep getting new customers reporting HTTP authentication problems. It does not seem to be a global issue though, since some of them, with the latest up2date, are not experiencing this.

    Support just told me that there is no WA (workaround) available and the only option for the time being (besides re-joining) would be to downgrade :(

  • The problem is that we cannot downgrade to 9.500. That version has no issues...

    Someone @Sophos: Is there any chance for you to release 9.500 again on the up2date FTP server?

  • Is there a solution planned?

    I have to rejoin the domain every morning!!

  • We have the same problem at about 20 sites!

    How can it be fixed permanently?

    Sophos has to solve this ASAP. Created a ticket.

  • Hello, we have the same problem. Our workaround is to disable the web proxy SSO authentication to get Internet access for the users. We have also created a support ticket with Sophos.

    Best regards

    Kim Rainer Sparke